Virtual Private Networks (VPNs) provide a partitioning mechanism for isolating data transmitted and received between customer network nodes even though a corresponding physical network supporting propagation of the data is shared by many users. The data transmitted between such network nodes may be encrypted to protect against eavesdropping and tampering by unauthorized parties. Because the physical network is shared, costs of using resources are generally reduced for each of many users. A typical arrangement involves customer edge (CE) routers communicating via the Internet (or shared backbone) between local area networks (LANs), which the respective edge routers protect. The edge routers establish secure, encrypted links between each other to protect the trusted LANs in the VPN.
A physical network such as a service provider network may therefore include peripherally located provider edge (PE) routers, each of which couples to one or more customer edge (CE) routers. The customer edge routers, in turn, may couple to private local area networks (LANs) associated with one or more VPNs. To support this operation, the service provider's PE routers typically maintain Virtual Routing and Forwarding (VRF) tables, one per VPN, dictating how to route and forward traffic through the shared physical network so that each customer's VPN sees only its own routes. Typically, the service provider network selectively couples the local area networks to each other through links created between its PE routers.
Virtual Private Networks (i.e., VPNs) provide an isolated means for transmitting and receiving data between network nodes even though a corresponding physical network supporting propagation of the data is shared by many users. The data transmitted between such network nodes (e.g., edge nodes of a service provider network) may or may not be encrypted; partitioning alone keeps traffic of different customers apart but does not by itself protect against eavesdropping and tampering by unauthorized parties who can reach the shared links.
Two basic networking requirements have become desirable components of next generation IP networks, namely secure connectivity and network partitioning. It would be desirable to combine both requirements within a VPN infrastructure.
Secure connectivity between members of an IP VPN has typically been satisfied through the use of the IP security protocol suite (IPsec) for encryption and authentication. IPsec is implemented in many operating systems (it is part of the NetBSD distribution, for example); it provides per-packet authenticity and confidentiality guarantees between peers communicating using IPsec. IPsec is available for both IPv6 and IPv4.
IPsec comprises several separate protocols in order to provide encryption and authentication. One protocol used by IPsec is known as the Authentication Header (AH) protocol, which provides an authenticity guarantee for packets by attaching a keyed cryptographic integrity check value (ICV, e.g. an HMAC) to each packet. If a packet was received with AH, the ICV verification succeeded, both parties share a secret key, and no other party knows the key, then the packet was originated by the expected peer (i.e., the packet was not generated by an impersonator) and was not modified in transit. Unlike ESP, AH covers the whole packet, from the IP header to the end of the packet; the only exceptions are header fields that legitimately change in transit (TTL/hop limit, header checksum, DSCP/ECN, flags and fragment offset), which are treated as zero when the ICV is computed. Because the source and destination addresses are covered, AH does not survive network address translation.
Another protocol used in IPsec is the Encapsulating Security Payload (ESP) protocol, which provides a confidentiality guarantee for packets by encrypting them with an agreed encryption algorithm. If a packet received with ESP was successfully decrypted, both parties share a secret key, and no other party knows the key, then the packet's contents were not readable by a third party in transit. Confidentiality alone does not imply integrity: with encryption-only ESP an active attacker can still alter the ciphertext (and therefore the decrypted plaintext) without detection, so ESP is normally used with its optional integrity check value, or with a combined mode cipher that provides both, and encryption-only ESP is discouraged. Unlike AH, the ESP ICV covers only the ESP header and payload, not the outer IP header.
Still another protocol used in IPsec is known as IP payload compression (IPcomp). IPcomp provides a way to compress packets before encryption by ESP.
As described above, AH and ESP require a shared secret key between peers. Keys may be configured manually, but for communication between distant locations the Internet Key Exchange (IKE) protocol is used to authenticate the peers and negotiate keys and security associations in secrecy.
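The two guarantees described above, AH integrity over the header with mutable fields excluded and ESP confidentiality with or without an integrity check, as an added illustration that is not part of the original document and not a real IPsec implementation. It assumes a minimal constructed IPv4 header, fixed constructed keys, a 128-bit truncated HMAC-SHA-256 ICV, and a toy stream cipher (HMAC-SHA-256 used as a keystream generator) standing in for the block cipher mode a real ESP would use:

```python
"""AH/ESP guarantees, illustrated with a toy cipher (added example, not IPsec itself)."""
import hashlib
import hmac
import struct

# Constructed keys for the illustration only.
AH_KEY = b"ah-integrity-key-0123456789abcdef"
ENC_KEY = b"esp-encryption-key-0123456789abcd"
AUTH_KEY = b"esp-integrity-key-0123456789abcde"
ICV_LEN = 16  # HMAC-SHA-256-128 style truncation


def build_ipv4_header(ttl, payload_len, src=b"\x0a\x00\x00\x01", dst=b"\x0a\x00\x00\x02", proto=51):
    """Minimal 20-byte IPv4 header: ver/IHL, TOS, len, ID, flags/frag, TTL, proto, csum, src, dst."""
    return struct.pack("!BBHHHBBH4s4s", 0x45, 0, 20 + payload_len, 0x1234, 0, ttl, proto, 0, src, dst)


def zero_mutable_fields(hdr):
    """AH treats fields that change in transit as zero when computing the ICV."""
    h = bytearray(hdr)
    h[1] = 0                 # DSCP/ECN (TOS byte)
    h[6:8] = b"\x00\x00"     # flags + fragment offset
    h[8] = 0                 # TTL
    h[10:12] = b"\x00\x00"   # header checksum
    return bytes(h)


def ah_icv(key, ip_header, payload):
    """Keyed ICV over the whole packet (header with mutable fields zeroed, plus payload).
    A real AH header would also sit between them with its own ICV field zeroed; omitted here."""
    return hmac.new(key, zero_mutable_fields(ip_header) + payload, hashlib.sha256).digest()[:ICV_LEN]


def ah_verify(key, ip_header, payload, icv):
    return hmac.compare_digest(ah_icv(key, ip_header, payload), icv)


def keystream(key, spi, seq, length):
    """Toy keystream: PRF(key, SPI || seq || counter). Stand-in for a real cipher mode."""
    out = b""
    counter = 0
    while len(out) < length:
        out += hmac.new(key, struct.pack("!IIQ", spi, seq, counter), hashlib.sha256).digest()
        counter += 1
    return out[:length]


def esp_encrypt(enc_key, spi, seq, plaintext, auth_key=None):
    """ESP-like packet: SPI || seq || ciphertext [|| ICV]. ICV is encrypt-then-MAC over the rest."""
    ct = bytes(p ^ k for p, k in zip(plaintext, keystream(enc_key, spi, seq, len(plaintext))))
    packet = struct.pack("!II", spi, seq) + ct
    if auth_key is not None:
        packet += hmac.new(auth_key, packet, hashlib.sha256).digest()[:ICV_LEN]
    return packet


def esp_decrypt(enc_key, packet, auth_key=None):
    """Returns the plaintext, or None when an ICV is expected and does not verify."""
    if auth_key is not None:
        body, icv = packet[:-ICV_LEN], packet[-ICV_LEN:]
        if not hmac.compare_digest(hmac.new(auth_key, body, hashlib.sha256).digest()[:ICV_LEN], icv):
            return None
        packet = body
    spi, seq = struct.unpack("!II", packet[:8])
    ct = packet[8:]
    return bytes(c ^ k for c, k in zip(ct, keystream(enc_key, spi, seq, len(ct))))


def flip_bits(packet, offset, mask):
    b = bytearray(packet)
    b[offset] ^= mask
    return bytes(b)


def demo():
    """Runs both scenarios and returns the outcomes."""
    payload = b"TRANSFER $1000"
    # AH: a router decrementing TTL must not break the ICV, but touching the payload must.
    icv = ah_icv(AH_KEY, build_ipv4_header(64, len(payload)), payload)
    forwarded_hdr = build_ipv4_header(63, len(payload))
    tampered = b"TRANSFER $9000"
    # ESP: flipping one ciphertext bit flips the same plaintext bit ('1' ^ 0x08 == '9').
    offset = 8 + payload.index(b"1")
    enc_only = flip_bits(esp_encrypt(ENC_KEY, 0x100, 1, payload), offset, 0x08)
    with_icv = flip_bits(esp_encrypt(ENC_KEY, 0x100, 1, payload, AUTH_KEY), offset, 0x08)
    return {
        "ah_ok_after_ttl_decrement": ah_verify(AH_KEY, forwarded_hdr, payload, icv),
        "ah_ok_after_payload_tamper": ah_verify(AH_KEY, forwarded_hdr, tampered, icv),
        "esp_encrypt_only_tampered_plaintext": esp_decrypt(ENC_KEY, enc_only),
        "esp_with_icv_tampered": esp_decrypt(ENC_KEY, with_icv, AUTH_KEY),
    }


if __name__ == "__main__":
    for name, value in demo().items():
        print(f"{name}: {value!r}")
```

The encrypt-only case decrypts cleanly to an amount the sender never wrote, which is why the confidentiality guarantee in the text must not be read as an integrity guarantee; the same packet with an ICV is rejected before decryption is attempted.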
Network partitioning between different departments within a given enterprise has been satisfied through the use of technology such as VRF-lite (multiple VRF instances on a router without an MPLS backbone) or the Carrier's Carrier architecture.
According to one conventional technique, a service network may be extended beyond provider edge nodes to customer edge nodes. For example, a connectivity model may be utilized which enables CE nodes to establish a link between each other for transmission of data messages between corresponding interconnected networks.